A recent survey of regional data protection authorities in Germany has revealed 75 cases of reported personal data breaches since the GDPR came into effect on 25 May 2018. As a result, German authorities have imposed punitive fines totalling €449,000.
Germany differs from Ireland as the responsibility for monitoring and ensuring compliance with the GDPR and national data protection laws is delegated to each of the 16 German states, with each state possessing its own authority. A committee consisting of representatives from each regional authority (the ‘Data Protection Conference’) has also been appointed to ensure that a consistent approach is taken throughout the states.
So far, fines have been imposed in six of the sixteen federal states. The highest fines have been reported in the Baden-Wurttemberg region (€203, 000 across seven cases), Rhineland-Palatinate region (€124,000 across nine cases) and Berlin (€105,600 across eighteen cases). Examples of commonly reported GDPR violations include inadequate technical or organisational security measures (e.g. storing user password in non-encrypted form), non-compliance with information duties (e.g. lack of transparency around processing activities) and unauthorized marketing e-mails.
Recent data breach investigations
We have set out below a summary of two recent cases investigated by the German authorities.
1. Storage of unencrypted passwords
The German chat and dating service “Knuddels” was fined €20,000 in November 2018, following a data breach in which hackers were able to steal the personal data of approximately 300,000 users. Following reports from its own users, the company diligently reported the breach to the relevant state authority in line with its obligations under Article 33 of the GDPR.
As a result of the subsequent investigation, it was found that the company had stored passwords of its users in an unencrypted plain text format. This amounted to a significant breach of its obligation to implement appropriate technical safeguards for the protection of its user’s data in line with Article 32 of the GDPR.
The German authority noted the company’s willingness to engage with the investigation, and to undertake significant improvements to its IT security architecture. In a statement released by the State Commissioner for Data Protection and Freedom of Information, Dr Stefan Brink, it was noted that companies which are willing to learn from such incidents and to act transparently in rectifying data protection shortcomings can emerge stronger as a company, following a hacker attack. Dr Brink concluded that national authorities should avoid “a competition for the highest possible fines”, but instead focus on “improving privacy and data security for the users”.
2. Inadequate data processing contract
A €5,000 penalty was imposed on a small shipping company for failing to have an adequate contract in place governing the data processing activities carried out on the company’s behalf by third party contractors. Article 28(3) of the GDPR requires such contracts to impose certain mandatory obligations on processors.
Following investigation, the German authority concluded that sensitive personal data had been transmitted to a third party unlawfully due to the absence of a contract governing the controller / processor relationship. It was also noted that the both the company and contractor had failed to take their obligations seriously, and had instead attempted to evade responsibility rather than cooperate with the authority to rectify their shortcomings.
This case demonstrates that the GDPR is not only of concern for multinational corporations with large-scale data processing activities. Small to medium sized enterprises must also be fully aware of their obligations to comply with data protection legislation in order to avoid investigatory action by data protection authorities and potentially punitive fines.
These cases serve as a reminder of the importance of proactive cooperation with regulators at all levels of the organisation in order to mitigate the adverse effects of a personal data breach, and of ensuring that policies, systems and the company culture are designed with GDPR compliance in mind. It is vital not to overlook the basics, such as ensuring that proportionate security measures are implemented to protect particularly sensitive personal data.